1 // $Id: chcontext.c,v 1.24 2005/03/22 15:05:24 ensc Exp $
3 // Copyright (C) 2003,2004 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
4 // based on chcontext.cc by Jacques Gelinas
6 // This program is free software; you can redistribute it and/or modify
7 // it under the terms of the GNU General Public License as published by
8 // the Free Software Foundation; either version 2, or (at your option)
11 // This program is distributed in the hope that it will be useful,
12 // but WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 // GNU General Public License for more details.
16 // You should have received a copy of the GNU General Public License
17 // along with this program; if not, write to the Free Software
18 // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 chcontext is a wrapper to user the new_s_context system call. It
22 does little more than mapping command line option to the system call
32 #include "lib_internal/jail.h"
45 #define ENSC_WRAPPERS_PREFIX "chcontext: "
46 #define ENSC_WRAPPERS_VSERVER 1
47 #define ENSC_WRAPPERS_UNISTD 1
48 #define ENSC_WRAPPERS_FCNTL 1
51 #define CMD_HELP 0x1000
52 #define CMD_VERSION 0x1001
53 #define CMD_CAP 0x4000
54 #define CMD_CTX 0x4001
55 #define CMD_DISCONNECT 0x4002
56 #define CMD_DOMAINNAME 0x4003
57 #define CMD_FLAG 0x4004
58 #define CMD_HOSTNAME 0x4005
59 #define CMD_SECURE 0x4006
60 #define CMD_SILENT 0x4007
62 int wrapper_exit_code = 255;
66 { "help", no_argument, 0, CMD_HELP },
67 { "version", no_argument, 0, CMD_VERSION },
68 { "cap", required_argument, 0, CMD_CAP },
69 { "ctx", required_argument, 0, CMD_CTX },
70 { "xid", required_argument, 0, CMD_CTX },
71 { "disconnect", no_argument, 0, CMD_DISCONNECT },
72 { "domainname", required_argument, 0, CMD_DOMAINNAME },
73 { "flag", required_argument, 0, CMD_FLAG },
74 { "hostname", required_argument, 0, CMD_HOSTNAME },
75 { "secure", no_argument, 0, CMD_SECURE },
76 { "silent", no_argument, 0, CMD_SILENT },
88 char const * hostname;
89 char const * domainname;
92 static struct Arguments const * global_args = 0;
95 showHelp(int fd, char const *cmd, int res)
97 VSERVER_DECLARE_CMD(cmd);
99 WRITE_MSG(fd, "Usage: ");
102 " [--cap [!]<cap_name>] [--secure] [--xid <num>] [--disconnect]\n"
103 " [--domainname <name>] [--hostname <name>] [--flag <flags>+]\n"
104 " [--silent] [--] command arguments ...\n"
106 "chcontext allocate a new security context and executes\n"
107 "a command in that context.\n"
108 "By default, a new/unused context is allocated\n"
111 " Add a capability from the command. This option may be\n"
112 " repeated several time.\n"
113 " See /usr/include/linux/capability.h\n"
114 " In general, this option is used with the --secure option\n"
115 " --secure removes most critical capabilities and --cap\n"
116 " adds specific ones.\n"
120 " Remove a capability from the command. This option may be\n"
121 " repeated several time.\n"
122 " See /usr/include/linux/capability.h\n"
125 " Select the context. On root in context 0 is allowed to\n"
126 " select a specific context.\n"
127 " Context number 1 is special. It can see all processes\n"
128 " in any contexts, but can't kill them though.\n"
129 " Option --xid may be repeated several times to specify up to 16 contexts.\n"
132 " Start the command in background and make the process\n"
133 " a child of process 1.\n"
135 "--domainname new_domainname\n"
136 " Set the domainname (NIS) in the new security context.\n"
137 " Use \"none\" to unset the domain name.\n"
140 " Set one flag in the new or current security context. The following\n"
141 " flags are supported. The option may be used several time.\n"
143 " fakeinit: The new process will believe it is process number 1.\n"
144 " Useful to run a real /sbin/init in a vserver.\n"
145 " lock: The new process is trapped and can't use chcontext anymore.\n"
146 " sched: The new process and its children will share a common \n"
147 " execution priority.\n"
148 " nproc: Limit the number of process in the vserver according to\n"
149 " ulimit setting. Normally, ulimit is a per user thing.\n"
150 " With this flag, it becomes a per vserver thing.\n"
151 " private: No one can join this security context once created.\n"
152 " ulimit: Apply the current ulimit to the whole context\n"
154 "--hostname new_hostname\n"
155 " Set the hostname in the new security context\n"
156 " This is need because if you create a less privileged\n"
157 " security context, it may be unable to change its hostname\n"
160 " Remove all the capabilities to make a virtual server trustable\n"
163 " Do not print the allocated context number.\n"
165 "Please report bugs to " PACKAGE_BUGREPORT "\n");
174 "chcontext-compat " VERSION " -- allocates/enters a security context\n"
175 "This program is part of " PACKAGE_STRING "\n\n"
176 "Copyright (C) 2003,2004 Enrico Scholz\n"
177 VERSION_COPYRIGHT_DISCLAIMER);
182 setCap(char const *str, uint32_t *add_caps, uint32_t *remove_caps)
194 bit = vc_text2cap(str);
196 if (bit!=-1) *cap |= (1<<bit);
198 WRITE_MSG(2, "Unknown capability '");
201 exit(wrapper_exit_code);
206 setFlags(char const *str, uint32_t *flags)
208 struct vc_err_listparser err;
210 *flags = vc_list2cflag_compat(str, 0, &err);
213 WRITE_MSG(2, "Unknown flag '");
214 Vwrite(2, err.ptr, err.len);
216 exit(wrapper_exit_code);
220 static inline ALWAYSINLINE void
221 setHostname(char const *name)
223 if (name == NULL) return;
225 if (sethostname(name, strlen(name))==-1) {
226 perror("chcontext: sethostname()");
229 if (!global_args->do_silent) {
230 WRITE_MSG(1, "Host name is now ");
236 static inline ALWAYSINLINE void
237 setDomainname(char const *name)
239 if (name == NULL) return;
241 if (setdomainname(name, strlen(name))==-1) {
242 perror("chcontext: setdomainname()");
245 if (!global_args->do_silent) {
246 WRITE_MSG(1, "Domain name is now ");
252 static inline ALWAYSINLINE void
253 tellContext(xid_t ctx)
255 char buf[sizeof(xid_t)*3+2];
258 if (global_args->do_silent) return;
260 l = utilvserver_fmt_long(buf,ctx);
262 WRITE_MSG(1, "New security context is ");
267 #include "context-sync.hc"
269 int main (int argc, char *argv[])
271 struct Arguments args = {
273 .do_disconnect = false,
287 signal(SIGCHLD, SIG_DFL);
290 int c = getopt_long(argc, argv, "+", CMDLINE_OPTIONS, 0);
294 case CMD_HELP : showHelp(1, argv[0], 0);
295 case CMD_VERSION : showVersion();
296 case CMD_DISCONNECT : args.do_disconnect = true; break;
297 case CMD_SILENT : args.do_silent = true; break;
298 case CMD_DOMAINNAME : args.domainname = optarg; break;
299 case CMD_HOSTNAME : args.hostname = optarg; break;
302 setCap(optarg, &args.add_caps, &args.remove_caps);
305 args.remove_caps |= vc_get_insecurebcaps();
308 setFlags(optarg, &args.flags);
312 WRITE_MSG(2, "WARNING: More than one ctx not supported by this version\n");
313 if (args.nbctx>=DIM_OF(args.ctxs)) {
314 WRITE_MSG(2, "Too many contexts given\n");
317 args.ctxs[args.nbctx++] = Evc_xidopt2xid(optarg, true);
322 WRITE_MSG(2, "Try '");
323 WRITE_STR(2, argv[0]);
324 WRITE_MSG(2, " --help\" for more information.\n");
331 WRITE_MSG(2, "No command given; use '--help' for more information.\n");
335 if (args.domainname && strcmp(args.domainname, "none")==0)
336 args.domainname = "";
339 args.ctxs[args.nbctx++] = VC_DYNAMIC_XID;
341 xflags = args.flags & S_CTX_INFO_INIT;
342 args.flags &= ~S_CTX_INFO_INIT;
344 pid = initSync(p, args.do_disconnect);
346 doSyncStage0(p, args.do_disconnect);
348 newctx = Evc_new_s_context(args.ctxs[0],0,args.flags);
349 args.remove_caps &= (~args.add_caps);
350 setHostname(args.hostname);
351 setDomainname(args.domainname);
353 if (args.remove_caps!=0 || xflags!=0)
354 Evc_new_s_context (VC_SAMECTX,args.remove_caps,xflags);
355 tellContext(args.ctxs[0]==VC_DYNAMIC_XID ? newctx : args.ctxs[0]);
357 doSyncStage1(p, args.do_disconnect);
358 execvp (argv[optind],argv+optind);
359 doSyncStage2(p, args.do_disconnect);
361 PERROR_Q("chcontext: execvp", argv[optind]);
365 waitOnSync(pid, p, args.ctxs[0]!=VC_DYNAMIC_XID);
369 #ifdef ENSC_TESTSUITE
370 #define FLAG_TEST(STR,EXP) \
373 setFlags(STR, &flag); \
374 assert(flag==(EXP)); \
377 #define CAP_TEST(STR,EXP_ADD,EXP_DEL) \
379 uint32_t add=0,del=0; \
380 setCap(STR, &add, &del); \
381 assert(add==(EXP_ADD)); \
382 assert(del==(EXP_DEL)); \
388 FLAG_TEST("lock", 1);
389 FLAG_TEST("lock,sched", 3);
391 CAP_TEST("CHOWN", 1, 0);
392 CAP_TEST("CAP_CHOWN", 1, 0);
393 CAP_TEST("!CHOWN", 0, 1);
394 CAP_TEST("!CAP_CHOWN", 0, 1);